
Watch Out For This Chameleon Phishing Scheme

Trustwave SpiderLabs is warning of a chameleon-like phishing scheme that adapts its background page and logo depending on the user input.

March 25, 2022 TD Staff

Security researchers at Trustwave SpiderLabs encountered a phishing scheme that acts like a chameleon, changing its appearance to blend in with its environment. The site adapts its background page and logo depending on the user input to trick victims into giving away their email credentials.

The phishing scheme starts with an email asking the target to click on a provided link to access a document. Clicking the link leads to a fabricated webpage where the victim’s email address is already filled in and the site asks for the victim’s password.

The page looks just like another run-of-the-mill phishing site, notes SpiderLabs, but the phishing URL carries the victim’s email address in its fragment. Removing the fragment part of the URL containing the victim’s email address makes the web graphics disappear, leaving a bland login page. The SpiderLabs researchers created a dummy email address and username, tried common email provider domains such as gmail.com and Outlook.com, and the results changed for each domain.
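The URL shape described above (an email address in the fragment of a link to an unrelated host) can be checked when links are extracted from inbound mail. The following is an added example, not code from SpiderLabs or from the phishing page; the function names, verdict labels and sample URL are assumptions made for illustration.

```javascript
// Added example: flag links whose fragment carries an email address.
// All URLs and addresses used with it are constructed for illustration.

const EMAIL_RE = /^[^\s@#/]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i;

// Return { host, email, domain } if the fragment is an email address, else null.
function emailInFragment(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not an absolute URL
  }
  let frag = url.hash.slice(1);
  try {
    frag = decodeURIComponent(frag); // "%40" -> "@"
  } catch {
    // malformed percent-encoding: fall back to the raw fragment
  }
  const m = EMAIL_RE.exec(frag.trim());
  if (!m) return null;
  return {
    host: url.hostname.toLowerCase(),
    email: m[0].toLowerCase(),
    domain: m[1].toLowerCase(),
  };
}

// Hypothetical verdict labels for a mail-gateway triage rule.
function classifyLink(link, recipient) {
  const hit = emailInFragment(link);
  if (!hit) return { verdict: "no-email-fragment" };
  // A site using its own users' addresses in a fragment is less unusual.
  const ownDomain =
    hit.host === hit.domain || hit.host.endsWith("." + hit.domain);
  if (ownDomain) return { verdict: "own-domain", ...hit };
  // Fragment matches the person the message was sent to: personalised lure.
  const targeted =
    typeof recipient === "string" && hit.email === recipient.toLowerCase();
  return { verdict: targeted ? "suspicious-targeted" : "suspicious", ...hit };
}

console.log(classifyLink("https://files.example.net/doc#alice%40gmail.com", "alice@gmail.com"));
```

Browsers do not send the fragment to the server, so it does not appear in web server or proxy request logs; the check has to run on the links as they appear in the message itself.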

The site acts like a chameleon by changing and blending its images to camouflage itself. The researchers noted four noticeable web elements that changed whenever they tested a new email address in the browser: the page’s background, a blurred logo, the title tab, and the capitalized text of the domain from the email address provider.

SpiderLabs researchers took a deeper look at how the changes happen under the hood by viewing the page’s source code; however, the site blocks that action when the user right-clicks. Instead, they used the Google Chrome keyboard shortcut CTRL+U, which opens a new tab containing the code.

The scripts in the source code showed how the threat actors created their behind-the-scenes trickery. The JavaScript code declares a string variable, my_slice, that is used throughout. The supplied email address is validated with a regular expression, then parsed to extract the domain name.

Here are SpiderLabs’ findings within the source code:

The Page Background

The source attribute of the iframe with ID mainPage is set to the protocol text https:// concatenated with the variable my_slice. This pulls in content from the domain in the email address, which makes the webpage believable so the victim won’t notice that an incorrect webpage is being accessed.

The Blurred Logo

The code sources the logo from the Google favicon API. The my_slice variable is used in the API query to find the matching logo and make the phishing webpage look realistic. The sourced logo is small and gets stretched, which is why it looks blurry on the webpage.

The Tab Title and the Capitalized Text Beside the Logo

The parsed domain name variable, my_slice, is then parsed again: the TLD is disregarded, the brand is extracted, and the result is used for the logoname global variable.

The code also included various input text field validators to check the text of the email address and password.

As the victim keys in their password, a notification appears: “Invalid Details, Please try again.” The submit button’s text shifts from Continue to Sign in. Unknown to the user, each time the button is clicked, the email and password data are forwarded to the attacker’s server. After three tries, the page finally redirects the victim to the correct website. Once more, the variable my_slice is used, this time concatenated with “http://www.” to form the final landing page destination.

SpiderLabs warns these chameleon phishing sites are used repeatedly by malware authors to cleverly trick users into thinking these pages are real. The bad actors can customize the template and use other domains to host the scripts, allowing attackers to prey on unsuspecting users.
